rx_ring_history is an array of pointers, address of pointer is
always a non-NULL value, this always passed the NULL check,
which leads to NULL pointer dereference, fixing the same.
Change-Id: I401203a6f2a5930869cf4002ac0e714d3fdba62f
CRs-Fixed: 2844038
scenario:
FISA new FST entry is initialed, host will start one timer to
send HTT MSG DP_HTT_FST_CACHE_INVALIDATE_FULL to FW in 5 ms,
WOW suspending happened in the same time, PCIe bus get suspended.
5 ms later, HTT msg sending will try to prevent PCIe L1 to update
CE SRNG HP register, hit assert as PCIe bus suspended already.
suspend and cancel the FSE cache flushing timer when dp_bus_suspend,
resume it when dp_bus_resume.
CRs-Fixed: 2843214
Change-Id: Ie2bc115a0de068335d6c46749f52d205cc21f5a3
The response for the respective TWT operations can either be synchronous
or asynchronous (wherever specified). If synchronous, the response to
this operation is obtained in the corresponding vendor command reply to
the user space. For asynchronous case, the response is obtained as an
event with the same operation type.
Drivers shall support either of these modes but not both simultaneously.
The support for asynchronous mode is advertised through the new flag
QCA_WLAN_VENDOR_FEATURE_TWT_ASYNC_SUPPORT. If the driver does not
include this flag, it shall support synchronous mode.
Change-Id: I359e12c5147b0115158d03a7a08d74beca78455c
CRs-Fixed: 2842872
Define the following additional TWT operations:
QCA_WLAN_TWT_GET_STATS, QCA_WLAN_TWT_CLEAR_STATS,
QCA_WLAN_TWT_GET_CAPABILITIES, QCA_WLAN_TWT_SETUP_READY_NOTIFY.
Also define new attributes to qca_wlan_vendor_attr_twt_setup
and qca_wlan_vendor_attr_twt_nudge.
Change-Id: I687fd215c13aa12741d8ba7af23507f930d0ec81
CRs-Fixed: 2842072
Add support to configure minimum and maximum wake duration
values, minimum and maximum wake interval values for TWT setup.
Change-Id: I69c328815be511833abce0fcd18649e136027f53
CRs-Fixed: 2827115
Direct Buf Rx has a source ring to communicate with the target.
The target updates its tail pointer in little-endian format and this update
doesn't go through any byte-order conversion at the target. On a big-endian
Host platform, this tail pointer will be read in reverse order of bytes.
To fix this, convert the tail pointer to the Host order before using it.
Change-Id: Ibcaf3d7507910ea81eeb895772241ab9861ee45a
CRs-Fixed: 2843259
With current implementation host does not allow
6GHz AP for WPS security, add a change to allow 6GHz AP for WPS.
Change-Id: I9e330f2984a716bb56e47313b65eedb4a1a0e216
CRs-Fixed: 2814259
Do not allocate memory if the ask is larger than the
maximum memory allowed for malloc. We have it limited to 4MB.
CRs-Fixed: 2828104
Change-Id: I5b463dd8eb640c76882653e82e6f6db7cb651cf2
Currently, 6g PSC/non-PSC channels in the scan request are
scanned or optimized to scan only if RNR IE is found based on
the inis scan_mode_6ghz and scan_mode_6ghz_duty_cycle.
As scan_mode_6ghz_duty_cycle is set to 4 by default, first 3
scans are optimized to scan only if RNR IE is found and 4th scan
would be full scan. If there is any standalone AP in 6g channel
that doesn't advertize RNR IE in colocated APs beacons/probe
responses, that's not scanned till the 4th scan.
Reverse the order for scan_mode_6ghz_duty_cycle such that the
first scan of every four scans is a full scan and rest of the
three scans are optimized. So, the standalone 6g APs can be found
in first scan itself based on the ini scan_mode_6ghz.
Change-Id: Ice1614a94f1fd166e283355616ace241a5df2bcb
CRs-Fixed: 2829550
Add a boolean is_chan_hop_blocked in struct regulatory_channel to check
if a channel is blocked for ACS hopping, when the noise detection param
on that particular channel is above the threshold.
Change-Id: Id1c73f1b153d2064eaf3a72a21d14a6f63ad0de4
CRs-Fixed: 2837859
Account for the Tx buffers allocated for IPA during
init. Add this memory to the overall Tx nbuf memory
allocations. Ensure that the nbuf size is taken from
end pointer to head pointer of nbuf.
Change-Id: Ie3a46c7e7674f3f2e1bf9e0791a7eb53d4bb0b21
CRs-Fixed: 2831015
During TCP Tx traffic account for the Tx nbuf memory mapped
and unmapped in the driver.
Change-Id: I40df92f124eec94f2fa3ddc8bcd910615f4539bf
CRs-Fixed: 2831015
WLAN chip components are little-endian based. When such a chip is attached
to a big-endian Host platform, there will be a mismatch in the order of
bytes for the data that is transferred between the Host and target.
Spectral HW module transfers the Spectral report directly to the Host DDR.
This transfer doesn't go through any byte-order conversion at the HW side.
So, to avoid invalid reads at the Host side on a big-endian platform,
convert the Spectral report to the Host byte-order before using it.
Change-Id: I742537f3a95ffca2e12b83535e83e2870ad06b10
CRs-Fixed: 2838371
Add support for WMI_TWT_NUDGE_DIALOG_CMDID and
WMI_TWT_NUDGE_DIALOG_COMPLETE_EVENTID.
Change-Id: I9d4bf1061f6f08479967619ce50d2756c062f55f
CRs-Fixed: 2825138
Support new firmware thermal level WMI_THERMAL_SHUTDOWN_TGT
to indicate target over heat and need to be shutdown completely.
Change-Id: Icdb8aab9fe7b8914681cc46a4ccb5579781c587d
CRs-Fixed: 2835410
When driver doing ipa rx buffer smmu mapping,
qdf_spin_lock_bh is used to protect rx descriptor pool,
but might sleep function is called by API ipa_is_ready.
This causes kernel panic about sleeping function called
from invalid context as following call trace:
Call trace:
___might_sleep+0x204/0x208
__might_sleep+0x50/0x88
__mutex_lock_common+0x5c/0x1078
mutex_lock_nested+0x40/0x50
ipa3_is_ready+0x2c/0x60
ipa_is_ready+0x24/0x38
dp_ipa_handle_rx_buf_pool_smmu_mapping+0x2dc/0x6d0 [wlan]
Move the ipa is ready check function call outside of spin lock.
Change-Id: I5d3a79dff8a045791834733514a40f7c1ccb0d8b
CRs-Fixed: 2839292
Move the WIN only DFS features from common code to WIN specific
Component dev. The following features are moved.
1. WIN Hardware mode switch.
2. StaDFS
3. dfs_set_nol
4. nol_history
CRs-Fixed: 2834311
Change-Id: I6c74dd13a16acb2a67bb3b477b13bc0e4ee165ce
When the number of HTT packets in the endpoint TxQueue is more
than MaxTxQueueDepth, we hit the overflow condition. If the
overflow condition is hit, in htc_try_send(), when EpSendFull()
returns HTC_SEND_FULL_KEEP, we try to send all the excess packets.
As part of this logic, we are calling restore_tx_packet(); the
intention of calling resotre_tx_packet() is to just perform
skb_pull_head(), but restore_tx_packet() will also unmap the
HTT packet. Later, when we try to send the excess packets, these
would be already unmapped and when the HW/FW try to access this
unmapped location, it would lead to SMMU fault.
Change-Id: Ie60a302d6a2736f7aa12944b7016d2bdb9ffb10d
CRs-Fixed: 2836444
Currently, Stats request commands are sent over qmi right from the
target suspend request is sent to FW. This is leading to a crash in
FW since it is trying to access PCI when it is in suspend state.
To address this, send stats request over QMI only after the ack is
received for the target suspend command.
Change-Id: Id7a79d52740916f66476bf911e571c0ff466c7d3
CRs-Fixed: 2838737
Introduce wmi_validate_handle() with the caller function name
embedded in it to validate the WMI handle and log incase
of error. Calling functions can avoid logging in case
wmi_validate_handle() returns -EINVAL. This reduces logging and
thereby memory foot print.
Change-Id: Ie0a6a84ffad6e5cf2da8f547c7209dc77cdf5729
CRs-Fixed: 2838960
Currently, Rx diag event work is not being flushed during idle shutdown.
This may result in use after free access if the scheduled diag event work
gets the chance to execute after driver modules are closed.
To address this, flush diag events work during idle shutdown.
Change-Id: I348e80d2c86a5e070f0fb67d66b758529fede76c
CRs-Fixed: 2838020
Current Linux version of qdf_snprintf() doesn't pass the additional
arguments(...) to snprintf(). As a result, the behavior is undefined.
Fix it by passing the additional arguments as a variable-argument-list to
vsnprintf().
Change-Id: Iea8ee0737907eaaea2df99631316d7d45a8e562f
CRs-Fixed: 2838962
Currently QMI message length is not being validated before
handling QMI event. This is resulting in illegal memory access
when QMI message length is invalid.
To address this, discard QMI events with invalid length.
Change-Id: Ia9f04bcb4fa3b365cbbf2be8885a8d30f78f8f10
CRs-Fixed: 2839277
